Class: Dcmgr::VNet::Tasks::SecurityGroup

Inherits:

Dcmgr::VNet::Task

• Object
• Dcmgr::VNet::Task
• Dcmgr::VNet::Tasks::SecurityGroup

Includes:

Netfilter

Defined in:

lib/dcmgr/vnet/tasks/security_group.rb

Instance Attribute Summary

Attributes inherited from Dcmgr::VNet::Task

#rules

Instance Method Summary

• #initialize(group_map) ⇒ SecurityGroup constructor

  A new instance of SecurityGroup.

Constructor Details

#initialize(group_map) ⇒ SecurityGroup

Returns a new instance of SecurityGroup.

# File 'lib/dcmgr/vnet/tasks/security_group.rb', line 9

def initialize(group_map)
  super()
  group_map[:rules].each { |rule|
    case rule[:ip_protocol]
    when 'tcp', 'udp'
      if rule[:ip_fport] == rule[:ip_tport]
        self.rules << IptablesRule.new(:filter,:forward,rule[:ip_protocol].to_sym,:incoming,"-p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]} -j ACCEPT")
      else
        self.rules << IptablesRule.new(:filter,:forward,rule[:ip_protocol].to_sym,:incoming,"-p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]}:#{rule[:ip_tport]} -j ACCEPT")
      end
    when 'icmp'
      # icmp
      #   This extension can be used if `--protocol icmp' is specified. It provides the following option:
      #   [!] --icmp-type {type[/code]|typename}
      #     This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command
      #      iptables -p icmp -h
      if rule[:icmp_type] == -1 && rule[:icmp_code] == -1
        self.rules << IptablesRule.new(:filter,:forward,rule[:ip_protocol].to_sym,:incoming,"-p #{rule[:ip_protocol]} -s #{rule[:ip_source]} -j ACCEPT")
      else
        self.rules << IptablesRule.new(:filter,:forward,rule[:ip_protocol].to_sym,:incoming,"-p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --icmp-type #{rule[:icmp_type]}/#{rule[:icmp_code]} -j ACCEPT")
      end
    end
  }
end